Search found 13 matches

by Damago1
Mon Sep 30, 2024 2:11 am
Forum: General
Topic: Prevent L2TP server from creating dynamic interface
Replies: 1
Views: 240

Prevent L2TP server from creating dynamic interface

I have a problem. I have set up an L2TP site-to-site tunnel. I am monitoring this tunnel with SNMP. The problem is that from time to time the connection drops, and immediately reconnects. When reconnecting it creates a virtual interface with < and > brackets around the name: /interface/l2tp-server/add name=&q...
by Damago1
Sun Sep 15, 2024 9:51 pm
Forum: General
Topic: Identity selection when Mikrotik working as initiator in ipsec
Replies: 1
Views: 532

Identity selection when Mikrotik working as initiator in ipsec

I have two questions regarding identity /ip/ipsec/identity selection. 1. Can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity. 2. How does Mikrotik select the identity when working as INITIATOR? M...
by Damago1
Sun Sep 15, 2024 6:22 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 1096

Re: send-initial-contact v.s passive parameters of peer configuration in ipsec

The Mikrotik documentation often assumes the reader is familiar with the standards regarding the protocol (...) send-initial-contact literally means "send the INITIAL_CONTACT IKE notification", which suggests the recipient to drop any already existing connections authenticated using the s...
by Damago1
Sun Sep 15, 2024 5:45 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 11388

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

It's actually a misconception I've suffered from myself for years. The send-initial-contact parameter has nothing to do with controlling whether the peer will initiate connections or not - this is what the passive parameter controls. INITIAL_CONTACT is an optional notification, asking the peer rece...
by Damago1
Sun Sep 15, 2024 5:04 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 1096

send-initial-contact v.s passive parameters of peer configuration in ipsec

I have a question: What is the relation between send-initial-contact and passive parameters found in peer configuration under ipsec? What does it mean for mikrotik (how it affects behavior) if a mikrotik router is working as ipsec initiator if it has: a) send-initial-contact=no passive=no b) send-in...
by Damago1
Sun Sep 15, 2024 4:36 pm
Forum: General
Topic: Where can I find GOOD documetation of IPSEC in Mikrotik?
Replies: 6
Views: 903

Re: Where can I find GOOD documetation of IPSEC in Mikrotik?

The following is IMO one of the very best guides on creating your IPSec under MikroTik MikroTik IPSec ike2 VPN server: easy step-by-step guide by Nikita Tarikin Unfortunately this is NOT explaining anything else than MTU size (maximum transfer unit). There is a 'ready' configuration given and there ...
by Damago1
Wed Sep 11, 2024 2:21 am
Forum: General
Topic: Where can I find GOOD documetation of IPSEC in Mikrotik?
Replies: 6
Views: 903

Re: Where can I find GOOD documetation of IPSEC in Mikrotik?

Huge thanks! I am one small step further. "Mikrotik looks for a corresponding static policy linked to that peer" Can you please clarify how you can assign a "static policy" linked to a peer? I do not see a "policy" field in 'peer' and no such thing in 'identity'. Do you mean, ...
by Damago1
Tue Sep 10, 2024 8:22 pm
Forum: General
Topic: Where can I find GOOD documetation of IPSEC in Mikrotik?
Replies: 6
Views: 903

Where can I find GOOD documetation of IPSEC in Mikrotik?

I am struggling to understand IPSEC in Mikrotik. There is a wiki article but it is very incomplete. Does anybody know where can I find information HOW EXACTLY mikrotik uses each part of configuration (profile, proposal, policy, policy group, peer, identity etc.). I understand how IPSEC works, but I ...
by Damago1
Sat Sep 07, 2024 10:28 pm
Forum: RouterOS beta
Topic: Feature Request - NAT64/DNS64 CGN
Replies: 36
Views: 27668

Re: Feature Request - NAT64/DNS64 CGN

+1 transition mechanisms will be more and more important. We are planning to migrate internal company structure to IPv6. And we will have to decide whether to drop Mikrotik or to use some inelegant solution like an extra server, which is a pain because we managed to get rid of servers in many locations.
by Damago1
Sun Jun 16, 2024 10:36 pm
Forum: Useful user articles
Topic: Getting IPEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)
Replies: 3
Views: 17567

Re: Getting IPEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)

Just in case (google points here) below is a working configuration of ipsec ikev2 / psk vpn: notes: 1. this configuration is NOT touching the "default" profile, "default" identity etc. So it should work in parallel with other VPN types, for instance in parallel with L2TP/ipsec VPN...
by Damago1
Sun Jun 16, 2024 10:34 pm
Forum: General
Topic: IkeV2 VPN server setup for Android 13
Replies: 5
Views: 8073

Re: IkeV2 VPN server setup for Android 13

Here is a working configuration of ipsec ikev2 / psk vpn: notes: 1. this configuration is NOT touching the "default" profile, "default" identity etc. So it should work in parallel with other VPN types, for instance in parallel with L2TP/ipsec VPN which is creating dynamic identity...
by Damago1
Fri Jan 12, 2024 10:57 am
Forum: Scripting
Topic: add succesfully connected rdp to whitelist
Replies: 6
Views: 1900

Re: add succesfully connected rdp to whitelist

I was trying to do something mikrotik only. Without adding complexity and more scripts to servers, which would add another thing to maintain etc. My latest attempt is to try to guess by amount of traffic: /ip firewall filter add action=add-src-to-address-list address-list=rdp_whitelist \ address-l...
by Damago1
Wed Jan 10, 2024 9:31 pm
Forum: Scripting
Topic: add succesfully connected rdp to whitelist
Replies: 6
Views: 1900

add succesfully connected rdp to whitelist

I would like to add successfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is successfully established or it is just another brute force attempt. I was trying something like: chain=forward action=add-src-to-address-list connection-state=establishe...